TL;DR: You should probably use `format_html()` rather than `mark_safe`, as recommended by other answers.
The way other answers recommend to use `mark_safe` will just mark the *entire* resulting string as safe HTML. IOW, you're telling Django "This is valid and safe HTML, I have ensured any needed escaping has happened". Except that the other answers do not actually do the required escaping.
Consider the following (imperfect) approach from another answer:
```python
from django.utils.safestring import mark_safe

# Method on a ModelAdmin: the whole string is marked safe, but obj.image is
# interpolated without any escaping.
def image(self, obj):
    return mark_safe('<image src="%s" />' % obj.image)
```
If `obj.image` now contains a `"`, or worse, is user input and contains an XSS attack, this will break the resulting HTML.
To prevent this, all data that is interpolated *into* such HTML snippets should be individually escaped beforehand. Fortunately there is the `format_html()` function which does both interpolation and the needed escaping. With that, the above example would become:
```python
from django.utils.html import format_html

# Method on a ModelAdmin: obj.image is escaped before it is interpolated,
# and only the assembled markup is marked safe.
def image(self, obj):
    return format_html('<image src="{}" />', obj.image)
```
Note that this uses `{}` format strings rather than `%s`, since `format_html()` is based on `str.format()`, which uses that style.
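To make the difference between the two approaches visible without a Django install, here is an added example (not part of the answer above, and not Django's own code) that re-implements the relevant behaviour with the standard library: a stand-in `format_html_stub()` that escapes every argument before interpolating it, a stand-in `mark_safe_stub()` that only labels a string, and the two `image()` variants from the answer run side by side on a constructed attribute value that contains a `"`. The `SafeString` class, the stub function names and `HOSTILE_VALUE` are assumptions made for this example; the real `format_html()` escapes its arguments with `django.utils.html.conditional_escape` before calling `str.format()`.

```python
from html import escape
from string import Formatter


class SafeString(str):
    """Assumed stand-in for Django's SafeString: text already escaped."""


def _conditional_escape(value):
    # Values already marked safe pass through untouched; everything else is
    # HTML-escaped, including quotes, so it cannot close an attribute early.
    if isinstance(value, SafeString):
        return value
    return SafeString(escape(str(value), quote=True))


def mark_safe_stub(text):
    # Only labels the string as trusted; performs no escaping at all.
    return SafeString(text)


def format_html_stub(template, *args, **kwargs):
    # Escape each argument first, then interpolate with str.format() rules.
    safe_args = [_conditional_escape(a) for a in args]
    safe_kwargs = {k: _conditional_escape(v) for k, v in kwargs.items()}
    return SafeString(Formatter().vformat(template, safe_args, safe_kwargs))


def image_unsafe(image_url):
    # The mark_safe approach from the answer: raw value lands in the markup.
    return mark_safe_stub('<img src="%s" />' % image_url)


def image_safe(image_url):
    # The format_html approach from the answer: value is escaped first.
    return format_html_stub('<img src="{}" />', image_url)


# Constructed sample input: a value that closes the src attribute early and
# smuggles in a second attribute.
HOSTILE_VALUE = 'pic.png" title="injected'


def demo():
    """Return (unsafe_markup, safe_markup) for the constructed value."""
    return image_unsafe(HOSTILE_VALUE), image_safe(HOSTILE_VALUE)


if __name__ == "__main__":
    unsafe, safe = demo()
    print("mark_safe  :", unsafe)   # extra attribute survives
    print("format_html:", safe)     # quotes become &quot;
```

Running it prints `<img src="pic.png" title="injected" />` for the `mark_safe` variant, where the injected attribute is now part of the tag, and `<img src="pic.png&quot; title=&quot;injected" />` for the `format_html` variant, where the whole value stays inside `src`. A value that is already a `SafeString` passes through `format_html_stub()` unchanged, which is also how the real function treats pre-marked safe arguments.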